Privacy Policy

TRACKNANA

Last Updated: March 6, 2026

www.tracknana.com · contact@tracknana.com

This Privacy Policy describes how Tracknana collects, uses, stores, shares, and protects Your personal information when You use Our Service.

1. Introduction

This Privacy Policy ("Policy") describes the practices of Tracknana, operated by Nathan Moreira Detoni, based in Mamborê, Paraná, Brazil ("Company", "We", "Us", or "Our"), regarding the collection, use, storage, disclosure, and protection of personal information when You use the Tracknana application, website (www.tracknana.com), and all related services (collectively, the "Service").

This Policy applies to all Users of the Service in the following countries ("Covered Jurisdictions"): Brazil, the United States of America, Mexico, Argentina, Guatemala, Peru, Chile, Uruguay, Paraguay, Colombia, Costa Rica, Panama, Bolivia, Ecuador, Suriname, Belize, Nicaragua, Honduras, and El Salvador.

By creating an Account and using the Service, You acknowledge that You have read, understood, and consent to the collection and processing of Your information as described in this Policy. If You do not agree with this Policy, please do not use the Service.

We use the terms "Personal Data" and "Personal Information" interchangeably throughout this Policy unless a specific law requires a particular term.

2. Definitions

  • "Account" means the unique account registered with a username, email address, and password to access the Service.
  • "Ad Platforms" means Google Ads, Meta Ads (Facebook/Instagram), and TikTok Ads.
  • "Cookies" means small text files placed on Your Device by the Service to store preferences and session information.
  • "Device" means any electronic device used to access the Service.
  • "Lead Data" means information received via webhooks from Payment Platforms, stored in Our database for lead management.
  • "Customer Data" means Lead Data aggregated by email address to create unified customer profiles.
  • "Payment Platforms" means Hotmart, Kiwify, Stripe, Eduzz, Clickbank, PerfectPay, Braip, Monetizze, Kivana, Ticto, Cartpanda, Yampi, and Nuvemshop.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Service Provider" means a third party that processes data on behalf of the Company.
  • "Usage Data" means data collected automatically from use of the Service, including IP address, browser type, pages visited, and timestamps.
  • "Webhook Data" means all data received through webhook endpoints configured by the User.

3. Data Controller

The data controller responsible for processing Your Personal Data in connection with the Service is Nathan Moreira Detoni, an individual operating under the trade name Tracknana, based in Mamborê, Paraná, Brazil. For questions or to exercise Your rights, contact Us at:

4. Personal Data We Collect

4.1 Information You Provide Directly

4.1.1 Account Registration Data

When You create an Account, We collect:

  • Username;
  • Email address;
  • Password (stored in hashed and salted form — We never store plaintext passwords).

Upon registration, We send a verification email to the address You provided. We generate and temporarily store an email verification token to confirm ownership of the email address. We also generate temporary tokens for password reset requests. These tokens are short-lived and automatically expire after use or after a fixed time period.

4.1.2 Payment Information

When You subscribe to a paid plan (Solo, Pro, or Enterprise), payment is processed by Stripe. We receive from Stripe:

  • Subscription status and plan type;
  • Billing dates and payment history;
  • A truncated card identifier (last 4 digits) for display purposes only.

We do not receive, process, or store Your full credit card number, CVV, or other sensitive payment credentials. All payment data is handled by Stripe in compliance with PCI-DSS standards. We issue an invoice or fiscal receipt (NFS-e for Users in Brazil) at the time each payment is confirmed. Invoice records, including the invoice number, amount, date, and associated Account identifier, are retained for up to 60 months for tax and financial compliance purposes. In the event of a refund, the corresponding invoice is canceled and a cancellation receipt or credit note is issued.

4.1.3 Two-Factor Authentication Data

If You enable TOTP two-factor authentication, We store: (a) a TOTP secret key associated with Your Account, encrypted at rest; and (b) a set of one-time recovery codes, stored as bcrypt hashes (not in plaintext). Recovery codes allow You to access Your Account if You lose access to Your TOTP device; each code can only be used once. Both the TOTP secret and recovery code hashes are permanently deleted when You disable 2FA or delete Your Account.

4.1.4 User Preferences

We store Your interface preferences to personalize Your experience, including:

  • Theme preference (light or dark mode);
  • Language preference (English, Portuguese, or Spanish);
  • Whether You have completed the initial language setup.

These preferences are stored in Your Account record and deleted when Your Account is deleted.

4.1.5 UTM and Webhook Configuration Data

We store UTM parameters, tracking links, and webhook endpoint configurations that You create within the Service.

4.1.6 UTM Tracking Script (Client-Side Only — No Data Collected by Tracknana)

Tracknana provides a JavaScript tracking script (the "UTM Tracking Script") that Users may embed on third-party checkout pages (e.g., Payment Platform checkout links) via a standard HTML script src tag. This script reads the following UTM parameters from the visitor's browser URL: utm_source, utm_medium, utm_campaign, utm_content, utm_term, and utm_id. The script does not read or capture advertising platform click identifiers (such as gclid, fbclid, or ttclid). The captured UTM values are stored in the visitor's browser localStorage for up to 30 days and a single "src" parameter (containing the utm_id or utm_campaign value) is injected into detected checkout links on the page to enable conversion attribution.

Important: The UTM Tracking Script operates entirely within the visitor's browser (client-side). It does not transmit any data to Tracknana's servers and does not set cookies. The script uses the visitor's browser localStorage to persist UTM parameter values and a timestamp for up to 30 days; it does not use session storage and does not fingerprint or uniquely identify individual visitors. The script includes built-in validation that automatically rejects values containing personal data patterns such as email addresses, phone numbers, tax identification numbers (CPF/CNPJ), credit card numbers, and URLs. The stored data consists solely of sanitized UTM parameter values and contains no personally identifiable information. Tracknana does not collect, receive, store, or process any personal data of checkout page visitors through the UTM Tracking Script. However, the "src" parameter injected into checkout links may be forwarded to Tracknana as part of Webhook Data when the Payment Platform includes it in its webhook payload (see Section 4.2.4).

The User who deploys the UTM Tracking Script is solely responsible for: (a) disclosing the use of the script in their own privacy policy or notice; (b) obtaining any required consent from checkout page visitors as mandated by applicable data protection laws; and (c) ensuring compliance with the terms of service of the Payment Platform or website hosting the checkout page.

4.2 Information Collected Through Integrations

4.2.1 Ad Platform Data (Partially Stored)

When You link Your Google, Meta, or TikTok accounts, We access Your advertising campaign data, ad group data, individual ad data, and associated metrics via the respective platform APIs in real time. The full campaign data displayed to You is retrieved on demand and is not stored on Our servers. However, We store the following limited subsets of campaign data:

  • Aggregated Daily Metric Snapshots: We record daily aggregated metrics (spend, impressions, clicks, and conversions per platform per day) in a time-series database. This data powers the LLM Feature (AI Campaign Assistant) and dashboard overview analytics. These snapshots are automatically deleted after 90 days;
  • Monitored Campaign Snapshots: For campaigns You choose to monitor via Telegram alerts, We store the campaign identifier, campaign name, latest metric snapshot, alert thresholds, and alert timestamps. This data is retained for the duration of the monitoring configuration and deleted when the monitoring is disabled or Your Account is deleted.

4.2.2 Google Analytics Data (NOT Stored)

When You link Your Google account, We access Your Google Analytics property data, including custom funnel visualizations, via the Google Analytics API. This data is NOT stored on Our servers.

4.2.3 Ad Creative Data (NOT Stored)

When You view or compare ad creatives, We retrieve this data via Ad Platform APIs. Creative assets and associated metrics are NOT stored on Our servers.

4.2.4 Webhook Data (Stored)

When You configure webhook receivers and connect them with Payment Platforms, the incoming webhook payloads are stored in Our database. This typically includes:

  • Customer/buyer email address;
  • Customer/buyer name;
  • Customer/buyer phone number (if provided by the Payment Platform);
  • Transaction amount and payment status (e.g., approved, pending, refunded, chargeback, abandoned, canceled, completed, expired);
  • Event type (e.g., sale, subscription, abandoned cart);
  • Transaction identifier (as assigned by the Payment Platform);
  • Product name;
  • Attribution data: campaign identifier (src parameter), UTM parameters (utm_source, utm_campaign, utm_medium, utm_content, utm_term), originating ad platform, and ad account identifier;
  • Timestamp of the event.

This Webhook Data is used to populate the Leads section and Customer profiles in Your Dashboard. You are responsible for ensuring that the data received through webhooks is collected and processed in compliance with applicable data protection laws.

4.3 Information Collected Automatically

4.3.1 Usage Data

We automatically collect Usage Data when You access the Service, including:

  • IP address;
  • Browser type and version;
  • Operating system;
  • Pages viewed within the Service and time spent on each;
  • Date and time of access;
  • Device type and unique device identifiers;
  • Referring URL.

4.3.2 Cookies and Tracking Technologies

We use the following types of cookies:

Essential Cookies (Session): Required for authentication, session management, and core Service functionality. These cannot be disabled without impairing the Service.

Preference Cookies (Persistent): Store Your settings, language preferences, and login details to personalize Your experience.

Analytics Cookies (Persistent): Used to understand how the Service is used, track feature adoption, and improve performance. These are only activated with Your consent where required by law.

You can manage cookie preferences through Your browser settings. Disabling essential cookies may impair Service functionality.

4.4 Information from Third Parties

4.4.1 Stripe

We receive subscription and billing status information from Stripe as described in Section 4.1.2.

4.4.2 LLM Feature (OpenAI)

When You use the AI Campaign Assistant, the aggregated daily metric snapshots stored in Our database (as described in Section 4.2.1) are used to build a JSON summary of Your last 30 days of campaign metrics, which is sent to OpenAI's GPT-4o-mini model for processing. The underlying daily metric snapshots are retained for up to 90 days and automatically deleted thereafter. OpenAI processes the transmitted summary pursuant to their data usage policies.

5. How We Use Your Personal Data

We process Your Personal Data for the following purposes and on the following legal bases:

Purpose | Data Used | Legal Basis
Provide and maintain the Service | Account data, Usage Data | Contract performance; Legitimate interest
Process payments and manage subscriptions | Payment info via Stripe | Contract performance
Display ad campaigns and analytics | Third-party API data (real-time); aggregated daily snapshots (stored 90 days) | Contract performance; Consent (account linking)
Store and display Leads/Customers | Webhook Data from Payment Platforms | Contract performance; Legitimate interest
AI campaign analysis (LLM Feature) | Stored daily metric snapshots (up to 90 days), sent as JSON summary | Consent (explicit use of feature)
Send campaign notifications via Telegram | Campaign metrics, Telegram deep link | Consent
Account security (2FA) | TOTP secret key, recovery code hashes | Legitimate interest; Security
Analytics and Service improvement | Usage Data, Cookies | Legitimate interest; Consent (where required)
Comply with legal obligations | As required by law | Legal obligation
Communicate with You | Email address | Contract performance; Legitimate interest

We will not use Your Personal Data for purposes materially different from those described above without providing You notice and, where required, obtaining Your consent.

6. Data We Do Not Collect or Store

For transparency, the following categories of data are explicitly NOT collected or stored by Tracknana:

  • Full credit card numbers, CVVs, or bank account details (handled exclusively by Stripe);
  • Full ad campaign data from Google Ads, Meta Ads, or TikTok Ads beyond the aggregated daily metric snapshots and monitored campaign data described in Section 4.2.1;
  • Google Analytics property data (retrieved via API in real time, not stored);
  • Ad creative assets or their metrics (retrieved via API in real time, not stored);
  • The transient JSON summary sent to OpenAI for the LLM Feature;
  • Biometric data, health data, or government-issued identification numbers;
  • Precise geolocation data beyond IP-based approximate location;
  • Any personal data from visitors of checkout pages where the UTM Tracking Script is deployed.

7. How We Share Your Personal Data

7.1 Service Providers

We share Your data with the following categories of Service Providers, solely to the extent necessary to provide the Service:

Provider | Purpose | Data Shared
Stripe, Inc. | Payment processing | Subscription plan, billing info
OpenAI | LLM Feature (AI assistant) | 30-day campaign metric JSON
Cloud hosting provider | Server infrastructure | All stored data (encrypted)
Google APIs | Ads and Analytics integration | OAuth tokens (no user data sent)
Meta APIs | Ads integration | OAuth tokens (no user data sent)
TikTok APIs | Ads integration | OAuth tokens (no user data sent)
Telegram Bot API | Campaign notifications | Campaign metrics, deep link ID

7.2 Legal and Compliance Disclosures

We may disclose Your Personal Data if required to do so by law or in response to valid legal process, including:

  • Court orders, subpoenas, or other compulsory legal processes;
  • Requests from government agencies or law enforcement authorities;
  • To protect the rights, property, or safety of Tracknana, Our Users, or the public;
  • To investigate or prevent suspected fraud, security threats, or violations of these Terms.

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of Our assets, Your Personal Data may be transferred to the acquiring entity. We will notify You before Your Personal Data is transferred and becomes subject to a different privacy policy.

7.4 No Sale of Personal Data

We do not sell, rent, or trade Your Personal Data to third parties for monetary or other valuable consideration. This applies across all Covered Jurisdictions, including for purposes of the CCPA/CPRA definition of "sale" and "sharing."

8. Data Retention

We retain Your Personal Data only as long as necessary for the purposes described in this Policy. Specific retention periods are as follows:

Data Category | Retention Period | Reason
Account Data (username, email, hashed password) | Duration of account + up to 24 months post-deletion | Post-termination disputes, legal compliance
Webhook Data (Leads, Customers) | Duration of account; deleted upon account deletion | Core Service functionality
Payment/Billing Records and Invoices | Up to 60 months after last transaction | Tax and financial compliance
Usage Data (analytics, logs) | Up to 24 months from collection | Security, analytics, improvement
Support Tickets | Up to 24 months from closure | Quality assurance, dispute resolution
Cookies (session) | Deleted upon browser session end | Session management
Cookies (persistent) | Up to 12 months | Preferences, analytics
Aggregated Campaign Metric Snapshots | Up to 90 days (auto-deleted) | LLM Feature, dashboard analytics
Monitored Campaign Snapshots | Duration of monitoring; deleted on disable or account deletion | Telegram campaign alerts
TOTP 2FA Secret | Duration of account; deleted upon disabling or account deletion | Account security

When retention periods expire, We securely delete or anonymize the data. Residual copies may persist in encrypted backups for a limited period consistent with Our backup schedule before automatic purging.

9. Data Security

We implement industry-standard technical and organizational measures to protect Your Personal Data, including:

  • Encryption in transit (TLS/HTTPS) for all communications between Your Device and Our servers;
  • Encryption at rest for sensitive data, including passwords (bcrypt hashing with salting) and TOTP secrets;
  • Regular security assessments and vulnerability scanning;
  • Access controls limiting employee and contractor access to Personal Data on a need-to-know basis;
  • Secure server infrastructure located in Virginia, United States, with physical and network security controls;
  • Incident response procedures for potential data breaches.

While We implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of Your data.

10. International Data Transfers

Our servers are located in Virginia, United States. If You are located outside the United States, Your Personal Data will be transferred to and processed in the United States.

We ensure that international data transfers are conducted with appropriate safeguards, including:

  • Encryption of data in transit and at rest;
  • Contractual obligations with Service Providers requiring them to maintain adequate data protection standards;
  • Compliance with applicable cross-border transfer requirements under the laws of Your Covered Jurisdiction.

By using the Service, You consent to the transfer of Your data to the United States. If Your local law requires specific mechanisms for international data transfers (such as standard contractual clauses or binding corporate rules), We will implement such mechanisms upon request where feasible.

11. Your Privacy Rights

11.1 Rights Available to All Users

Regardless of Your location within the Covered Jurisdictions, You have the following rights:

  • Right to Access: Request a copy of the Personal Data We hold about You;
  • Right to Correction: Request correction of inaccurate or incomplete Personal Data;
  • Right to Deletion: Request deletion of Your Personal Data, subject to legal retention obligations;
  • Right to Data Portability: Request Your data in a structured, commonly used, machine-readable format;
  • Right to Withdraw Consent: Withdraw consent for data processing at any time, without affecting the lawfulness of processing prior to withdrawal;
  • Right to Object: Object to processing based on legitimate interests;
  • Right to Restriction: Request restriction of processing under certain circumstances.

You may exercise any of the above rights by contacting Us at contact@tracknana.com or through Your Account settings (where applicable, such as account deletion and password changes).

11.2 Brazil (LGPD — Lei Geral de Proteção de Dados)

If You are located in Brazil, You have the following additional rights under the LGPD (Article 18):

  • Confirmation of the existence of data processing;
  • Access to Your data;
  • Correction of incomplete, inaccurate, or outdated data;
  • Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data;
  • Portability of Your data to another service or product provider;
  • Deletion of data processed with Your consent;
  • Information about public and private entities with which Your data has been shared;
  • Information about the possibility of denying consent and the consequences thereof;
  • Revocation of consent.

We process Your data under the legal bases permitted by the LGPD, including consent, contract performance, legitimate interest, and legal obligation. You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) if You believe Your rights have been violated.

11.3 United States

11.3.1 California Residents (CCPA/CPRA)

If You are a California resident, You have the following rights:

  • Right to Know: What Personal Information We collect, use, disclose, and sell (We do not sell);
  • Right to Delete: Request deletion of Your Personal Information;
  • Right to Correct: Request correction of inaccurate Personal Information;
  • Right to Opt-Out of Sale/Sharing: We do not sell or share Personal Information as defined by CCPA/CPRA;
  • Right to Limit Use of Sensitive Personal Information;
  • Right to Non-Discrimination: We will not discriminate against You for exercising Your rights.

Categories of Personal Information We collect (CCPA categories): Identifiers (username, email, IP address); Internet or electronic network activity (Usage Data); Commercial information (subscription plan, billing history).

We do not use or disclose sensitive Personal Information for purposes other than those permitted under the CCPA/CPRA.

To submit a verifiable consumer request, contact Us at contact@tracknana.com. We will respond within 45 days, with a possible 45-day extension upon notice.

11.3.2 CalOPPA Compliance

In compliance with the California Online Privacy Protection Act (CalOPPA):

  • This Privacy Policy is conspicuously accessible from Our homepage;
  • The link to this Policy contains the word "Privacy";
  • You will be notified of any material changes to this Policy;
  • You can manage Your Personal Information through Your Account settings;
  • We honor Do Not Track (DNT) browser signals where technically feasible.

11.3.3 COPPA Compliance

The Service is not directed to children under thirteen (13) years of age. We do not knowingly collect Personal Information from children under 13. If We discover that We have inadvertently collected such information, We will promptly delete it. If You believe a child under 13 has provided Us with Personal Information, please contact Us immediately at contact@tracknana.com.

11.4 Mexico (LFPDPPP)

If You are located in Mexico, You have the following rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP):

  • ARCO Rights: Access, Rectification, Cancellation, and Opposition;
  • Right to revoke consent for data processing;
  • Right to limit the use or disclosure of Your Personal Data.

To exercise ARCO rights, submit a written request to contact@tracknana.com including: Your full name, a description of the data and rights You wish to exercise, and any supporting documentation. We will respond within twenty (20) business days.

This Privacy Policy serves as Our Aviso de Privacidad (Privacy Notice) as required by the LFPDPPP.

11.5 Argentina (LPDP — Law No. 25,326)

If You are located in Argentina, You have the rights of access, rectification, and suppression of Your Personal Data. The Agencia de Acceso a la Información Pública (AAIP) is the supervisory authority. You may exercise these rights by contacting Us at contact@tracknana.com.

11.6 Colombia (Ley 1581 de 2012)

If You are in Colombia, You have the right to know, update, rectify, and delete Your Personal Data, as well as the right to revoke consent. The Superintendencia de Industria y Comercio (SIC) is the supervisory authority.

11.7 Chile (Ley No. 19,628)

If You are in Chile, You have rights of access, rectification, cancellation, and opposition regarding Your Personal Data.

11.8 Peru (Ley No. 29,733)

If You are in Peru, You have the rights of information, access, rectification, cancellation, and opposition. The Autoridad Nacional de Protección de Datos Personales is the supervisory authority.

11.9 Uruguay (Ley No. 18,331)

If You are in Uruguay, You have the rights of access, rectification, inclusion, suppression, and opposition. The Unidad Reguladora y de Control de Datos Personales (URCDP) is the supervisory authority.

11.10 Costa Rica (Ley No. 8,968)

If You are in Costa Rica, You have rights of access, rectification, and deletion. The Agencia de Protección de Datos de los Habitantes (PRODHAB) is the supervisory authority.

11.11 Panama (Law No. 81 of 2019)

If You are in Panama, You have rights of access, rectification, cancellation, and opposition under the Personal Data Protection Law.

11.12 Other Covered Jurisdictions

If You are located in Paraguay, Bolivia, Ecuador, Guatemala, Suriname, Belize, Nicaragua, Honduras, or El Salvador, applicable local data protection laws apply. You may exercise any rights granted by Your local laws by contacting Us at contact@tracknana.com. We commit to responding within the timeframes required by Your applicable law.

12. Account Deletion and Your Data

You may delete Your Account at any time through Your Account settings. Upon account deletion:

  • Your profile data (username, email, hashed password) will be permanently deleted from Our active systems;
  • All Webhook Data (Leads and Customer data) will be permanently deleted;
  • All webhook configurations, UTM parameters, and custom settings will be deleted;
  • All stored campaign metric snapshots, monitored campaign configurations, Telegram alert rules, and dashboards will be permanently deleted;
  • Linked Third-Party Service connections (Google, Meta, TikTok) will be revoked;
  • TOTP two-factor authentication secrets and recovery code hashes will be deleted;
  • Active paid subscriptions will be canceled through Stripe.

Residual data may persist in encrypted backups for a limited period consistent with Our backup schedule before automatic purging. Payment and billing records may be retained for up to 60 months to comply with tax and financial regulatory obligations.

13. Children's Privacy

The Service is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect Personal Data from children under 18. In compliance with the Children's Online Privacy Protection Act (COPPA), We specifically do not target or knowingly collect information from children under thirteen (13).

If You are a parent or guardian and believe Your child has provided Us with Personal Data, please contact Us immediately at contact@tracknana.com. If We discover that We have collected Personal Data from a child in violation of applicable law, We will take immediate steps to delete such data.

14. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services not operated by Us. We are not responsible for the privacy practices of these third parties. We encourage You to review the privacy policies of any third-party service You access through the Service.

15. Do Not Track Signals

We honor Do Not Track (DNT) browser signals where technically feasible. When We detect a DNT signal, We limit data collection to essential cookies and Service functionality data. For analytics cookies, We treat a DNT signal as equivalent to opting out.

16. Automated Decision-Making

The LLM Feature provides AI-generated insights about Your advertising campaigns. These outputs are informational only and do not constitute automated decision-making or profiling that produces legal or similarly significant effects on You. No automated decisions are made regarding Your Account status, subscription, or access to features.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When We make material changes, We will:

  • Post the updated Policy on Our website with a new "Last Updated" date;
  • Notify You via email at the address associated with Your Account;
  • Where required by law, obtain Your renewed consent before implementing changes that affect how We process Your data.

We encourage You to review this Policy periodically. Your continued use of the Service after the updated Policy becomes effective constitutes Your acceptance of the changes.

18. Data Breach Notification

In the event of a data breach that poses a risk to Your rights and freedoms, We will:

  • Notify affected Users via email within seventy-two (72) hours of becoming aware of the breach, or as otherwise required by applicable law;
  • Notify the relevant data protection authority as required by applicable law (e.g., ANPD in Brazil, INAI in Mexico);
  • Provide information about the nature of the breach, the data affected, the likely consequences, and the measures We have taken or propose to take to mitigate the effects.

19. Contact Information

If You have any questions, concerns, or requests regarding this Privacy Policy or the processing of Your Personal Data, You may contact Us:

For privacy-related complaints, You may also contact the relevant data protection authority in Your jurisdiction as referenced in Section 11 above.

By creating an Account or using the Service, You acknowledge that You have read, understood, and agree to this Privacy Policy.